The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability information about software used in Japan is aggregated for IT users to easily access vulnerability information. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2017/2Q

~ JVN iPedia now stores 70,996 vulnerabilities ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 2nd quarter of 2017 (April 1 to June 30, 2017) is shown in the table below. As of the end of June 2017, the total number of vulnerabilities stored in JVN iPedia is 70,996 (Table 1-1, Figure 1-1). Since the start of 2017, the number of vulnerabilities published by NVD has been on the rise. It was 2,687 last quarter, and 3,511 this quarter, increasing yet again.

As for the English version, a total of 1,728 vulnerabilities is available, as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 2nd Quarter of 2017

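| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 3 cases | 183 cases |
| Japanese Version | JVN | 310 cases | 7,470 cases |
| Japanese Version | NVD | 3,198 cases | 63,343 cases |
| Japanese Version | Total | 3,511 cases | 70,996 cases |
| English Version | Domestic Product Developers | 3 cases | 183 cases |
| English Version | JVN | 89 cases | 1,545 cases |
| English Version | Total | 92 cases | 1,728 cases |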

1-2. Hot Topic #1: WordPress Plug-in Vulnerabilities

~ More than eighty percent were serious enough to possibly result in service outage ~

In June 2017, several Japanese websites using the WordPress plug-in (*4) "WP Job Manager" were hacked by attackers who exploited a vulnerability in the plug-in. The vulnerability allowed attackers to upload image files without logging into the websites, resulting in website defacement. Since similar incidents seemed imminent, IPA issued an emergency security alert (*5) for the plug-in users.

Table 1-2 is a list of WordPress plug-in vulnerabilities registered to JVN iPedia this quarter.

Table 1-2. WordPress Plug-in Vulnerabilities Registered to JVN iPedia from April 2017 to June 2017

There were 37 vulnerabilities, including JVNDB-2017-000139, for which IPA issued the above-mentioned security alert, and the severity of more than 80 percent (30 vulnerabilities) was higher than Level II (CVSSv2 score 4.0 - 6.9). This severity means those vulnerabilities are serious enough to possibly result in service outage.

Figure 1-2 is a pie chart of the CWEs that appear in Table 1-2 above.

As shown in the chart, cross-site scripting (CWE-79) accounts for 51.4 percent, followed by SQL injection (CWE-89) and path traversal (CWE-22) for 13.5 percent. A SQL injection vulnerability, for example, could allow attackers to carry out malicious actions including data modification, theft and/or leakage.

WordPress vulnerabilities lie not only in WordPress itself but also in its plug-ins, and could just as well cause serious security incidents. System operators and administrators who are responsible for systems using a content management system (CMS), such as WordPress, need to watch out for updates for the CMS software itself as well as for its plug-ins.

IPA issues emergency security alerts for vulnerabilities in widely-used software as necessary. The alerts can be received as soon as they are issued through the service called “icat for JSON” (*6). System operators and administrators can check out those information services to help facilitate their mission to mitigate vulnerabilities.

1-3. Hot Topic #2: DLL Hijacking Vulnerabilities

~ Twenty-nine vulnerabilities reported this quarter – the highest number in the last three years ~

Through the Information Security Early Warning Partnership (*7), many DLL (*8) hijacking vulnerabilities were reported to IPA and registered to JVN iPedia this quarter. In DLL hijacking, when an application such as an installer or self-extracting archive is executed, it loads a DLL file placed in the same directory as the application in preference to the legitimate DLL file located in the Windows system directory. Some malware has been observed exploiting this behavior of vulnerable applications to spread infection (*9).

Figure 1-3 shows the quarterly change in the number of DLL hijacking vulnerabilities registered to JVN iPedia from the 3rd quarter of 2014 to this quarter. The ease of spotting this vulnerability may have contributed to the sudden increase in vulnerability reports.

Table 1-3 is a list of some DLL hijacking vulnerabilities registered to JVN iPedia this quarter. Their severity is relatively high (a CVSSv2 base score of 6.8 falls under severity Level II), which means the effect of a successful attack could be large.

Developers of installer builders and file compression/extraction tools, installers and self-extracting archives should take the following measures (*10) to protect users. Likewise, application users should take the following measures when executing an installer or self-extracting archive.

Installer builder and file compression/extraction tool developers

Installer and self-extracting archive developers

When you find vulnerability information on the installer builder or file compression/extraction tool you are using, update it to the fixed version. Also, when you modify command execution, make sure that the commands in the legitimate and intended directory are executed.

Application users

Before executing an installer or self-extracting archive, make sure that there are no suspicious files in the same directory as the installer or self-extracting archive, or create a new directory and copy the installer or self-extracting archive there for execution. It is also strongly recommended that you do not execute an application downloaded from the Internet in the download directory. If you execute the installer or self-extracting archive in a download directory where a maliciously-crafted DLL file has been placed at some point in time, the installer or self-extracting archive may load the maliciously-crafted DLL file when it is executed.
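
The user-side measure described above, as an added example (not IPA's code): it lists DLL files sitting next to an installer and copies the installer alone into a newly created directory for execution. The file names and the temporary directories in `demo()` are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sibling_dlls(installer: Path) -> list[Path]:
    """Return DLL files located in the same directory as the installer."""
    return sorted(p for p in installer.parent.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_installer(installer: Path) -> Path:
    """Copy the installer alone into a new directory and return the copy."""
    staging = Path(tempfile.mkdtemp(prefix="clean_install_"))
    staged = Path(shutil.copy2(installer, staging / installer.name))
    # The new directory must hold the installer and nothing else.
    if [p.name for p in staging.iterdir()] != [installer.name]:
        raise RuntimeError("staging directory is not clean")
    # The copy must be byte-identical to the file that was inspected.
    if sha256(staged) != sha256(installer):
        raise RuntimeError("copy does not match the original")
    return staged


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a download directory holding an installer and a stray DLL."""
    downloads = Path(tempfile.mkdtemp(prefix="downloads_"))
    installer = downloads / "setup.exe"  # constructed file name
    installer.write_bytes(b"MZ constructed sample installer")
    (downloads / "VERSION.DLL").write_bytes(b"MZ constructed sample dll")
    (downloads / "readme.txt").write_text("not a DLL")
    before = [p.name for p in sibling_dlls(installer)]
    after = [p.name for p in sibling_dlls(stage_installer(installer))]
    return before, after


if __name__ == "__main__":
    print(demo())
```
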

2. Details on JVN iPedia Registered Data

2-1. Types of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 2nd quarter of 2017, sorted by the CWE vulnerability types.

The type of vulnerability reported most in the 2nd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 559 cases, followed by CWE-284 (Improper Access Control) with 364 cases, CWE-264 (Permissions, Privileges and Access Controls) with 316, CWE-200 (Information Exposure) with 302, and CWE-79 (Cross-Site Scripting) with 289. CWE-119, the most reported vulnerability type this quarter, could allow attackers to execute arbitrary code on affected servers/PCs, causing various undesirable consequences, such as unauthorized access to and/or modification of data.

Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as "How to Secure Your Website" (*11), "Secure Programming Guide" (*12) and "AppGoat" (*13), a hands-on vulnerability learning tool, for website developers and operators to build secure websites.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.

To mitigate threats posed by known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

In addition to a CVSSv2 severity score, JVN iPedia has been running a pilot to provide a CVSSv3 (*14) severity score since December 1, 2015 (*15).

2-3. Types of Software Reported with Vulnerability

Figure 2-3 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 73.3 percent of the 2017 total.

Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of the 2nd quarter of 2017, a total of 1,091 ICS vulnerabilities has been registered (Figure 2-4).

2-4. Products Reported with Vulnerability

Table 2-1 lists the top 20 software products with the most vulnerabilities registered to JVN iPedia during the 2nd quarter (April to June) of 2017. Ranked 1st is ImageMagick, image processing software, with 151 vulnerabilities. The reason is that NVD published its vulnerabilities in bulk, including those found before 2017, and not that a lot of ImageMagick vulnerabilities were found this quarter. Many operating systems made the top 20 list. As seen in Table 2-1, software from popular vendors, such as Microsoft and Apple, is also ranked.

Besides those in the top 20 list, JVN iPedia stores vulnerabilities about a variety of software used in business and at home in Japan. IPA hopes software developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action in a timely manner (*16).

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 2nd quarter of 2017 (April – June).

An improper access control vulnerability in Intel Active Management Technology was ranked 1st and became a hot topic since the vulnerability could affect a large number of organizations if the technology was used on their servers, making system administrators scramble to respond.

Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their system as soon as possible to prevent damage.

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC. https://jvn.jp/en/

(*6) A security information service that displays IPA security alerts in one’s website in real-time. Used by more than 1,000 websites including companies, government agencies and educational institutions. https://www.ipa.go.jp/security/vuln/icat.html (in Japanese only)